Although we have detailed guide on the same topic, there is necessity of an updated detailed guide for many users. Here Are the Detailed Steps & Commands on How to Install or Renew SSL Cert on Ubuntu 18.04, Apache 2.4. SSL Cert Provider Can Be GeoTrust, RapidSSL, Comodo Like CA. For this guide, we are assuming that the reader can manage own server via SSH and used with basic server management. We are strictly limiting this guide to paid DV or EV SSLs like from GeoTrust, RapidSSL, Comodo. Trial of those SSL/TLS will be same. This guide is not for Let’s Encrypt. Make sure that you have DNS CAA Record of the CA you going to use. RapidSSL and GeoTrust Quick Premium differs by root CA.
How to Install or Renew SSL Cert on Ubuntu 18.04, Apache 2.4
Obtaining certificate starts with generating CSR (Certificate Signing Request) file, which requires to create private key as initial step.
Those who will renew, they already have a private key. Unless there is reason, they can use that private key to generate the CSR (Certificate Signing Request). Old CSR (Certificate Signing Request) file generated from the old private key can be used for the purpose.
To generate a CSR, we need to create a key pair for our server. These two files are a digital certificate key pair – public and private. If we loss public/private key file or forget password, the fingerprint of SSL Certificate will no longer match and that is dangerous for public key pinning (HPKP).
We recommend tho use a 2048 bit key using OpenSSL utility on server. For generation of password-less (non-encrypted key) type the following command :
|
1 |
openssl genrsa -out private.key 2048 |
For an encrypted key use the below command :
|
1 |
openssl genrsa -des3 -out private.key 2048 |
The Fuss of Password on Apache Server
Note that, Apache2 does not by default easily support password in private key. You’ll need to perform extra steps to make Apache2 using encrypted (with password) private key. Else Apache2 will throw odd error on restart. You need these on your virtual server configuration file :
|
1 2 3 |
# any of these will work SSLPassPhraseDialog |/path/to/password-script SSLPassPhraseDialog exec:/path/to/password-script |
That password-script is a simple script with this content :
|
1 2 |
#!/bin/sh echo "your password here" |
Make the script executable :
|
1 |
chmod +x /path/to/password-script |
The above is for protecting the private key for commercial sites. For ordinary sites, we need password free private key. If you wrongly created private key protected by password, you can create password free private key from the old password protected file with the below command :
---
|
1 2 3 4 5 |
cp private.key backup_private.key # encrypted_private.key, non-encrypted_private_key are names to indicate files openssl rsa -in encrypted_private.key -out non-encrypted_private_key.key chmod 400 non-encrypted_private_key.key # you can use filename as private.key for easiness |
You’ll get the above instructions in document site of Apache 2.4 (linked to Apache2 site).
Generate CSR (Certificate Signing Request) File
Type the following command :
|
1 |
openssl req -new -key private.key -out yourdomain-example.com.csr |
It will ask you questions.
Country Name: Use the two-letter code without punctuation for country, like US, IN, CA.
State or Province: Full name of the state or province name, like California, West-Bengal
Locality or City: Just the city or town name, like Saint Louis, Kolkata
Company: You can omit it or write the name like TCW Corporation.
Organizational Unit: Optional field, for value like IT. Press Enter on your keyboard to skip.
Common Name: The Common Name is most important. It is domain name like thecustomizewindows.com. For wildcard certificate request, the syntax should look like *.thecustomizewindows.com
Do not enter your email address, challenge password or fill optional fields when generating the CSR. If those needed then the CA would instruct you. You’ll have
So at this step, we have private key, CSR file. Run cat on the CSR file, copy it and fill web form of CA to obtain SSL certificate.
As for GeoTrust, RapidSSL; you’ll receive email with your domain’s certificate in PEM format. There will be link to download the intermediate certificate. Open the web page of intermediate certificate.
The Final Steps
Go to the server directory where you have those private key, CSR files. You can keep them on directory like :
|
1 |
/usr/local/ssl/crt/ |
Copy the content of certificate sent by GeoTrust, RapidSSL, Comodo to you via email, open text editor on SSH and paste the content. Save the file :
|
1 2 |
nano public.crt # paste and save |
Copy the content of intermediate certificate pointed by GeoTrust, RapidSSL, Comodo to download via email, open text editor on SSH and paste the content. Save the file :
|
1 2 |
nano intermediate.crt # paste and save |
So our path :
|
1 |
/usr/local/ssl/crt/ |
Has four files :
|
1 2 |
ls -al intermediate.crt private.key public.crt yourdomain-example.com.csr |
We will generate Diffie-Hellman key (the command will take time to end) :
|
1 |
sudo openssl dhparam -out dhparam.pem 2048 |
Essentially you need virtual host and mod SSL activated in the way we directed in our TLS guide for Let’s Encrypt , for that repo’s Apache2, we have http2 module too:
|
1 2 3 4 5 6 |
a2enmod http2 systemctl restart apache2 a2enmod ssl systemctl restart apache2 a2ensite default-ssl systemctl restart apache2 |
Create a file named ssl-apache.conf in /usr/local/ssl/crt/ directory with this content :
|
1 2 3 4 5 6 7 8 |
SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite (find latest cipher suitable for you and add here) SSLHonorCipherOrder on SSLCompression off SSLOptions +StrictRequire LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common |
Save the file.
Now, go to /etc/apache2/sites-available/ and run a ls -al to realize which config file you are using. Open to edit that file to add the below content :
|
1 2 3 4 5 |
### Start third party SSL cert block SSLCertificateFile /usr/local/ssl/crt/public.crt SSLCertificateKeyFile /usr/local/ssl/private/private.key SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt ### End third party SSL cert block |
The end configuration will be looking like this :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
<IfModule mod_ssl.c> <VirtualHost *:443> Protocols http/1.1 h2 ServerName jima.in ServerAdmin webmaster@localhost DocumentRoot /var/www/html/jima.in ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined ### Start third party SSL cert block SSLCertificateFile /usr/local/ssl/crt/public.crt SSLCertificateKeyFile /usr/local/ssl/private/private.key SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt ### End third party SSL cert block SSLOpenSSLConfCmd DHParameters "/usr/local/ssl/crt/dhparams_4096.pem" SSLOpenSSLConfCmd ECDHParameters secp384r1 SSLOpenSSLConfCmd Curves secp521r1:secp384r1 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomainsi; preload" Header always set X-Content-Type-Options nosniff Header always set X-Frame-Options SAMEORIGIN Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure Include /usr/local/ssl/crt/ssl-apache.conf <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/html/jima.in> Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet </IfModule> |
Run configuration test :
|
1 |
apachectl -t |
If syntax is OK then restart Apache :
|
1 |
service apache2 restart |
Test your site on :
|
1 2 |
https://www.ssllabs.com/ssltest/analyze.html https://securityheaders.io |
If you face trouble in setup, then ask on StackExchange, ServerFault like Q&A sites pointing to our site at the step you have messed up. Apache2 is commonly used webserver and whole earth knows about common errors.
About Abhishek Ghosh
Here’s what we’ve got for you which might like :
Additionally, performing a search on this website can help you. Also, we have YouTube Videos.
Take The Conversation Further ...
We'd love to know your thoughts on this article.
Meet the Author over on Twitter to join the conversation right now!
If you want to Advertise on our Article or want a Sponsored Article, you are invited to Contact us.
Contact Us